The Dutch government has formally opposed the introduction of backdoors in encryption products.
A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that “the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands.”
The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.
The word “currently” worries me, but this is good news.
So now OpenSSL is government funded just like our news channel, that’s just great…
Really? Come on. It is a good thing that they get some funding. There is nothing wrong with that, assuming there are no strings attached.
I’m normally not the paranoid type, but honestly the OpenSSL code is so widely acknowledged to be so difficult to work with (hence LibreSSL efforts) it would be really easy to sneak something malicious in, then “donate” some money to the project after it’s in.
Terrorism can’t be stopped by banning encryption. It can’t be stopped by banning guns. It can’t be stopped by always playing catch-up, being one step behind in an endless game of whack-a-mole. It can’t be stopped by creating oppressive laws that are ineffective against those who don’t give a shit about them. People are no safer after they’ve been stripped of their protections and privacy.
Oppression is oppression, even when you try to hide it in “if you have nothing to hide, you have nothing to worry about”. People should always be suspicious of those seeking total authority & control. Human beings by their very nature are not trustworthy. The more power an entity is given, the worse the eventual abuse will be. There’s no justification for that.
Indeed, but I know what can: more than thirty thousand deaths per year in the US.
You can wish for government intervention as much as you like, but consider the GHD concentration camps in NL and Germany; many of them are there just because they dared to question the immigration policy. Did Theo van Gogh die for nothing? Equality/socialism is a scam to fool stupid people to pay for the rich and in the process kill all individualism and freedom.
How is this drivel in any way relevant?
The government grants subsidies and sponsors charity all the time. They figured encryption is important to today’s economy and liberty, and apparently it’s underfunded so they wrote a check.
It’s just too bad they went for a severely mismanaged project such as OpenSSL.
It is not charity if compulsion or mandates are needed to do so; then it is extortion. If I steal money from you to give to a cause I find worthy, is it moral?
Note: I’m assuming a few things here, so forgive me if I’m off a bit.
So from what I understand the governments (USA, UK, etc) would like encryption like the solution in this stack overflow:
https://stackoverflow.com/questions/597188/encryption-with-multiple-…
So only the intended recipient or the government can decrypt. There isn’t that much of a risk of a fourth party encrypting it. Only weakening a cypher or RNG would do that (which the NSA has done before).
But, anyways, strong encryption is out there and available. You can’t put it back in the bag and tell everyone to forget they had access to it. I guess the only thing they could do would be to force companies to not put the good stuff in by default.
Bill Shooter of Bul,
One can build very secure key escrow, but there is great resistance from people and manufacturers when we know what the NSA are up to. The “clipper chip” and Snowden debacles highlight this resistance.
https://en.wikipedia.org/wiki/Clipper_chip
Without key escrow, the NSA’s very existence depends on finding/creating vulnerabilities and exploiting those in secrecy. Ultimately this state of affairs leaves our products and systems open to 3rd party attacks that the NSA knows about. To the NSA, snooping is more important than the security of our protocols, but that’s a dangerous game because it means our enemies are able to snoop us too.
Right, this is what confuses me. The situation the Dutch are describing is a world without key escrow. The world we currently live in where our products and systems are open to fourth party attacks. (I’m assuming sender is first party, recipient is second party, and government is third party, and non governmental attacker is fourth.)
I totally understand that the third party government with a key maybe shouldn’t be trusted and thus a reason why escrowing is a bad idea. But it’s not for the reasons that the Dutch government gives.
Bill Shooter of Bul,
…which kind of acknowledges an inherent truth that the Dutch government could not effectively control crypto even if it wanted to. On the other end, the Dutch know that weak crypto leaves everyone vulnerable, so why wouldn’t they advocate for stronger crypto to keep out hackers including the NSA? If anything to me it suggests that the Dutch government is representing its citizens in good faith.
Yes, the ministry mentions this in the PDF letter.
First they list all stakeholders and how encryption affects them. They mention how encryption is important to their economy, and to the government & citizens (DigiID stuff). All of which could be abused by criminals, terrorists and spies. Next they state the obvious problems for intelligence services but then they refer to the ECHR and state that individuals have a constitutional right to privacy which can only be violated for a legitimate cause and the violation needs to be proportional to that cause.
Then they mention how it’s currently not possible (especially not in an international context) to enforce an encryption system that can be decrypted by the police / intelligence services without compromising the security of communication/storage systems that benefit the Dutch economy and society.
Finally they state that the justice department will have to work with providers of those services anyway to make a legal case and therefore it doesn’t really justify to weaken encryption. So given all those trade-offs, they conclude it’s currently not desirable to take measures to limit encryption.
I agree with Thom that the ‘currently’ is a bit worrying, but it’s probably used to cover their ass and not give future ammo to the opposition in case things go terribly wrong.
Edited 2016-01-07 09:36 UTC
This must be the industry equiv of leaving the money on the night-stand on the way out afterwards..